This Data Processing Addendum (“DPA”) replaces the California Consumer Privacy Act Data Processing Addendum, amends the terms of and forms part of the BusPatrol America LLC (“BusPatrol”) Terms of Services or other agreement governing the use of the applicable BusPatrol cloud product(s) (the “Services”) by and between any BusPatrol client (the “Customer”) and BusPatrol. This DPA shall apply to Personal Information, as defined below, of a Consumer (referred to hereinafter as “Customer Data”) that BusPatrol processes in the course of providing Services under an agreement or otherwise.

Definitions

Consumer. “Consumer” means any natural person, however identified, including by any unique identifier.

Personal Information. “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

(a) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(b) Characteristics of protected classifications under state or federal law.
(c) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(d) Biometric information.
(e) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement
(f) Geolocation data.
(g) Audio, electronic, visual, thermal, olfactory, or similar information.
(h) Professional or employment-related information.
(i) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
(j) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(k) Sensitive personal information.

“Personal Information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. For purposes of this paragraph, “publicly available” means: information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.

“Personal Information” does not include consumer information that is de-identified or aggregated consumer information.

Selling personal information. “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.
This shall not include the following circumstances: (i) a Consumer or Customer uses or directs BusPatrol to intentionally disclose personal information and/interact with one or more third parties; (ii) BusPatrol uses or shares an identifier for a Consumer who has opted out of the sale of the Consumer’s personal information or limited the use of the Consumer’s sensitive personal information for the purposes of alerting persons that the Consumer has opted out of the sale of the Consumer’s personal information or limited the use of the Consumer’s sensitive personal information; or (iii) BusPatrol transfers to a third party the personal information of a Consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this DPA.

Applicability and Precedence

BusPatrol understands the terms of this DPA and agrees to comply with them. In the event of any conflict between a purchase order, an agreement between BusPatrol and the Customer, and this DPA, the following order of precedence shall apply (in descending order): (i) the DPA (if applicable); (2) the agreement; and (3) the purchase order. There will be no force or effect to any different terms of any related purchase order or similar form even if signed by the parties to this DPA after the date hereof.

Effectiveness

This DPA will only be effective if submitted to BusPatrol accurately and in full accordance with this section. If Customer makes any deletions or other revisions to this DPA, it will be null and void.
Customer signatory represents to BusPatrol that he or she has the legal authority to bind the Customer and is lawfully able to enter into contracts.
This DPA will terminate automatically upon termination of any agreement between BusPatrol and the Customer or as earlier terminated pursuant to the terms of this DPA.

Data Processing

Customer’s Role. The Customer is a not for profit entity that determines the purpose and means of processing Customer Data. Customer will provide Customer Data to BusPatrol solely for the purpose of BusPatrol performing the Services.
BusPatrol’s Role. BusPatrol shall provide the Services and process any Customer Data in accordance with any applicable Customer agreement. BusPatrol may not retain, use, or disclose Customer Data for any purpose other than for providing the Services and in performance of such agreement.

Data Processing, Transfers, and Sales. BusPatrol will process Customer Data only as necessary to perform the Services, and will not, under any circumstances, collect, use, retain, access, share, transfer, or otherwise process Customer Data for any purpose not related to providing such Services. BusPatrol will refrain from taking any action that would cause any transfers of Customer Data to or from BusPatrol to qualify as “selling personal information” as defined above.

Sub-Service Providers. Notwithstanding the restrictions in Section 4.3, Customer agrees that BusPatrol may engage subcontractors and/or consultants to assist in providing the Services to Customer (“Sub-Service Providers”).

Security. BusPatrol will use commercially reasonable security procedures that are reasonably designed to maintain an industry-standard level of security and will prevent authorized access to or disclosure of Customer Data.

Retention. BusPatrol will retain Customer Data only for as long as the Customer deems it necessary for the permitted purpose, or as required by applicable. At the termination of this DPA, or upon Customer’s written request, BusPatrol will either destroy or return Customer Data to the Customer, unless legal obligations require storage of the Customer Data.

Consumer Rights Request. All consumer rights requests, including requests for deletion of Customer Data, should be sent to info@buspatrol.com.

Assistance with Consumers’ Rights Request. If BusPatrol, directly or indirectly, receives a request submitted by a Consumer to exercise a right it has under any consumer protection statute in relation to that Consumer’s Customer Data, BusPatrol will provide a copy of the request to the Customer. The Customer will be responsible for handling and communicating with Consumers in relation to such requests.

Assessments & Third-Party Certifications

Impact Assessment Assistance. Taking into account the nature of the Processing and the information available, BusPatrol will provide assistance to Customer in complying with its obligations under all applicable laws which address obligations with respect to security, breach notifications, data risk assessments, and prior consultation.
Certification/SOC Report. In addition to the information contained in this DPA, upon Customer’s request, and subject to the confidentiality obligations set forth in the the agreement between Customer and BusPatrol, BusPatrol will make available to following documents regarding the System and Organization Controls (“SOC”) 2 Report (or the reports or other documentation describing the controls implemented by BusPatrol that replace or are substantially equivalent to the SOC 2) so that Customer can reasonably verify BusPatrol’s compliance with its obligations under this DPA.

Enforceability.

Any provision of this DPA that is prohibited or unenforceable shall be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof. The Parties will make a good faith effort to agree upon a valid and enforceable provision that is a reasonable substitute and shall then incorporate such substitute provision in this DPA.

Liability.

To the extent permitted by applicable laws, liability arising from claims under this DPA will be subject to the terms of the agreement between Customer and BusPatrol.